Despite the slowness of the legal change process, we can identify four fairly distinct roles or "lanes in the road" pertinent to Computer Network Defense, or CND. CND consists of actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. The four lanes that will be addressed are the Service Provider lane, the Law Enforcement lane, the Intelligence lane and the Warfighter lane. This topic will present the four lanes and the legislation and court opinions relevant to each. In addition, we will compare and contrast Service Providers, Law Enforcement, the Intelligence community, and the Warfighter. This analysis was presented in the Summer 2002 edition of the IANewsletter, accessible through the link on this page, and has proved to be a useful foundation for sorting further case law.
First we'll turn to the Service Provider lane. Representative service providers include the Defense Information Systems Agency, or DISA; the Computer Emergency Response Teams, or CERTs, of each service; and each network's Designated Approving Authority, or DAA. System administrators can be viewed as service provider representatives. But, as we shall see, they fall into other lanes as well. Generally, system administrators have the responsibility of protecting their computer networks. This function is not limited to DoD systems, although there are some critical distinctions. DoD system administrators are subject to the Fourth Amendment, as their monitoring is a government action. On the other hand, because they do not provide a communications service to the public, they are able to share information gathered from DoD systems, whereas public Internet Service Providers (ISPs) are restricted in doing so by the Electronic Communications Privacy Act.
Service providers tend to be on the front lines of cyber attacks. Because of the service provider exception to the general prohibition against interceptions, they can provide important and timely notification of an attack. Absent consent, law enforcement, counterintelligence or intelligence agents would generally require a Title III court order or a Foreign Intelligence Surveillance Act, or FISA, court order respectively to intercept such communications. Note that the USA PATRIOT Act also added the computer trespasser exception as an exception to this general requirement. Obtaining court orders can be a trying and time-consuming proposition. We will address later in this course the scope and limitations of the Service Provider exception.
An Intrusion Detection Device sounds the alarm! What is it? Prelude to cyberwar, theft of proprietary information, a juvenile hacker? Where attribution and intent are unclear, often the most appropriate response is to initiate a law enforcement investigation, which brings us to the second of our four lanes of the road. Law enforcement agencies include the Federal Bureau of Investigation, or FBI; the U.S. Attorneys' Offices; and the Defense Criminal Investigative Organizations, or DCIOs. DCIOs include the Air Force Office of Special Investigations, or AFOSI; the Naval Criminal Investigative Service, or NCIS; the U.S. Army Criminal Investigative Division, or CID; and the Defense Criminal Investigative Service, or DCIS. Note that the dual nature of some of these agencies, which operate as both law enforcement agencies and counterintelligence agencies, may complicate application of the law. More will be discussed on this issue in the section on the third lane.
The overriding limitation to activities in the law enforcement area is the Fourth Amendment to the U.S. Constitution. Thus, law enforcement agents must generally obtain court authorization whenever their activities would contravene one’s reasonable expectation of privacy. In fact, however, it is additional statutory layers of protection that Congress has added over the years that have caused the most difficulty. Indeed, until the passage of the USA PATRIOT Act, many argued that law enforcement agents could not legally monitor an illegal intruder on a Government computer, without the hacker’s consent or a court order.
When investigating computer crime that originates outside the United States, law enforcement officials may be bound by time-consuming legal and political processes. The Convention on Cybercrime was an attempt to bring about international cooperation in fighting cybercrime. As of January 2004, 33 countries had signed it, but only four of the necessary five countries had ratified it since it was opened for signature in November of 2001. Select the Convention Status link for an updated listing.
Intelligence organizations include the Central Intelligence Agency, or CIA, the Federal Bureau of Investigation, or FBI, Department of Defense intelligence bodies, such as the National Security Agency, or NSA, and the intelligence components of the Services, and many more.
During the course of protecting DoD's Global Information Grid from an intruder, it may be appropriate for an intelligence component or a DoD counterintelligence element to become involved. The intelligence arm of DoD is limited in its collection of information by the Foreign Intelligence Surveillance Act, Executive Order 12333, DoD Directive 5240.1, and DoD Regulation 5240.1-R. This framework balances the protection of U.S. persons’ rights to privacy with the interest in protecting against a foreign threat.
Executive Order 12333 limits the activities of intelligence organizations, specifically as to collection against "U.S. persons," as defined in Executive Order 12333. Initial information leading to intelligence investigations often comes from the law enforcement or service provider lanes. Intelligence agencies usually rely on consent, the computer trespasser exception, and FISA warrants to obtain information.
The warfighter lane is the least defined. The President is Commander-in-Chief, but the exact scope of his powers has seldom been the subject of a challenge before the Court. On the rare occasion when it has, the Court has seemed intent on preserving a balance of powers between the three branches of government. Each component within DoD has personnel responsible for managing and defending their respective computer systems and networks. When there is an attack on DoD networks, these personnel take those actions necessary to restore service and defend against the attack. Primarily, this involves notifying law enforcement of suspected criminal activity, counterintelligence elements if there appears to be a foreign espionage threat, and taking internal actions necessary to restore service and protect against subsequent attacks. The ASD(C3I) (now NII) Memorandum, Guidance for Computer Network Defense Response Actions, dated 26 Feb 03, outlines the limits of permissible actions by DoD systems administrators at the enclave (base, camp, post, or station) and Service levels. Once a threat rises to the level of a DoD threat, it falls within the authority of USSTRATCOM.
Domestically, if the warfighter authority is exercised under the President's constitutional authority as Commander-in-Chief, such authority would arguably supersede domestic statutes such as the Federal Wiretap Act, the Computer Fraud and Abuse Act, and the ECPA, though as indicated earlier, the case law is scant and somewhat unclear. Compliance with constitutional requirements, such as the Fourth Amendment, would still generally be required, subject to the myriad exceptions already recognized by the courts.
Internationally, the United Nations Charter, Article 51, defining self-defense, and Article 2(4), defining unlawful use of force, together with Chapter VII, outlining allowable activities of the Security Council, are sources for the debate on what is legal behavior for warfighters. There is still some question as to whether these provisions even apply to "information warfare." The Law of Armed Conflict probably does apply, but requires new interpretations of terms, since much of the Law of Armed Conflict predates computers.
Computer network operations are unique in that they can be conducted anywhere, including the U.S. This is the basis for examining the applicability of domestic statutes and the Fourth Amendment to the military action. If the actions take place outside the U.S., it will be appropriate to examine the applicability of international law, including the U.N. Charter, Treaties, and Status of Forces Agreements.
Policy from the Office of the Secretary of Defense, or OSD, and the Standing Rules of Engagement, or SROE, are the primary sources of legal and policy guidance. Legal rules derive from domestic law and international law, including pre-hostilities and the law of armed conflict.
Each component within DoD has personnel responsible for managing and defending their respective computer systems and networks. When there is an attack on DoD networks, these personnel take those actions necessary to restore service and defend against the attack. Primarily, this involves notifying law enforcement of suspected criminal activity, notifying counterintelligence elements if there appears to be a foreign threat, and taking appropriate actions necessary to restore service and protect against subsequent attacks. The ASD(C3I) (now NII) Memorandum, Guidance for Computer Network Defense Response Actions, dated 26 Feb 03, outlines the limits of permissible response actions by level (Tier 1, 2 or 3) and sets out the requisite approval authorities for such actions. It is very important that local JAGs and legal advisors become familiar with the CNDRA policy. Because the policy is FOUO, it could not be included within these materials, but you may link to it with your PKI certificate at the IASE web page.
As already mentioned, each Combatant Command, Service and Agency is responsible for the day-to-day defense of its computer networks. U.S. Strategic Command, also known as USSTRATCOM, is responsible for the DoD-wide defense of the DoD's Global Information Grid, or GIG. This is orchestrated through USSTRATCOM's operational element, the Joint Task Force - Global Network Operations, or JTF-GNO. There are many Global Network Operations initiatives being developed by the Joint Task Force as part of the comprehensive CNDRA road ahead. Currently there is a strong partnership between the military members responsible for defense (service providers, intelligence components and DCIOs within DoD) and agencies outside DoD, such as the FBI, NCS, and other DOJ agencies. This team is a domestic action response team, whose purpose is to speed up the process of gaining attribution through U.S.-based assets and the international community.
An important part of this process is working with the civilian telecommunications sector, through the National Communications Systems, or NCS, to fully implement cooperative sharing of information between the government and our industry partners provided for in the Homeland Security Act of 2002.
As Computer Network Operations evolve, so too must the Standing Rules of Engagement, also known as the SROE. The SROE are set out at CJCSI 3121.01A. "The purpose of the SROE is to provide implementation guidance on the application of force for mission accomplishment and the exercise of the inherent right and obligation of self-defense."
The complex relationships of laws pertaining to Computer Network Defense require the attention of the Staff Judge Advocate to advise the command as to what is and is not legally permitted. It is for this reason that we use the "lanes of the road" approach. This approach permits a structured application of the appropriate legal regime (service provider, law enforcement, intelligence, or warfighter) based on the "role" of the actor.